PT-2026-42132 · Nlnet+4 · Unbound+4

Qifan Zhang

·

Published

2026-05-20

·

Updated

2026-06-30

·

CVE-2026-42959

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions NLnet Labs Unbound versions prior to 1.25.1
Description A denial of service issue exists in the DNSSEC validator. When constructing chase-reply messages for validation, the software uses an incorrect counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication can increase the ANSWER section count, while authority filtering can decrease the AUTHORITY section count, creating an uninitialized array slot. The validator subsequently dereferences this uninitialized pointer, leading to a process crash. An attacker controlling a DNSSEC-signed domain can trigger this by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records along with signed ADDITIONAL glue records.
Recommendations Update to version 1.25.1.

Fix

DoS

Access of Uninitialized Pointer

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

ALSA-2026:23231
ALSA-2026:24365
ALSA-2026:24369
CVE-2026-42959
ECHO-2FCE-8B09-C05E
OPENSUSE-SU-2026:10903-1
OPENSUSE-SU-2026:21083-1
RHSA-2026:23231
RHSA-2026:24365
RHSA-2026:24369
SUSE-SU-2026:22160-1
SUSE-SU-2026:22213-1
SUSE-SU-2026:2369-1
USN-8282-1
USN-8282-2

Affected Products

Freebsd
Linuxmint
Rocky Linux
Ubuntu
Unbound